One-time Form tokens

Thursday, 12 April 2007

What is a form token?

A form token provides protection against attacks on your site, such as CSRF *, in which an attacker uses your form in a way it wasn't intended. The idea is that the form token appears as a hidden field in the form and can only be used once.

How do you create one?

It should be a random key longer than 5 characters, ideally mixing upper- and lower-case letters, digits and non-alphanumeric characters, which is then hashed with a salt * using MD5, SHA1 or a similar hashing method. The form token should only be usable for that session and that user.

How do you use it?

Before a sensitive action is performed, for example buying a product, you check that the form token was sent and that it matches the one you stored on the server for that user. If the token matches, the action is performed and the token cannot be used again; if it does not match, the action is not performed.
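The create-and-consume cycle from the two sections above, written out as an added example; this is not code from the original post. The post is filed under php, but the idea is the same in any server language, so this is written in Python. It assumes a server-side session store (`SESSIONS`, an in-memory dict standing in for something like PHP's `$_SESSION`) and a server secret (`SERVER_SECRET`), both constructed here, and the function names are the example's own. Instead of the MD5/SHA1-with-salt hash the post mentions, the stored value is derived with HMAC-SHA256 keyed by the server secret, which serves the same purpose with a current algorithm.

```python
import hashlib
import hmac
import html
import secrets
from typing import Optional

# Constructed stand-in for server-side session storage (e.g. PHP's $_SESSION),
# keyed by session id. Assumption: real code uses the framework's session object.
SESSIONS: dict = {}

# Server-side secret used as the salt/key when deriving the stored token.
# Constructed for this example; in production load it from configuration.
SERVER_SECRET = secrets.token_bytes(32)


def _digest(raw_token: str) -> str:
    """Keyed hash of a raw token; only this value is kept on the server."""
    return hmac.new(SERVER_SECRET, raw_token.encode(), hashlib.sha256).hexdigest()


def issue_token(session_id: str, action: str) -> str:
    """Create a one-time token for one form action in one session.

    The raw token returned to the browser is 32 random bytes from the OS
    CSPRNG (64 hex characters), far above the post's 5-character minimum.
    The server stores only a keyed hash of it, so a copied session store
    does not hand out usable tokens.
    """
    raw = secrets.token_hex(32)
    session = SESSIONS.setdefault(session_id, {})
    # Bind the token to this session *and* this action.
    session[("form_token", action)] = _digest(raw)
    return raw


def consume_token(session_id: str, action: str, submitted: Optional[str]) -> bool:
    """Validate the submitted token and burn it on success.

    Returns True exactly once per issued token; a missing, wrong or
    already-used token returns False.
    """
    session = SESSIONS.get(session_id, {})
    expected = session.get(("form_token", action))
    if expected is None or submitted is None:
        return False
    # Constant-time comparison so a mismatch does not leak how many
    # characters agreed.
    if not hmac.compare_digest(_digest(submitted), expected):
        return False
    # Removed on success so the same token cannot be replayed.
    del session[("form_token", action)]
    return True


def hidden_field(token: str) -> str:
    """Render the token as the hidden form field the post describes."""
    # token_hex output is plain hex, but escaping costs nothing and keeps
    # this safe if the token format ever changes.
    return f'<input type="hidden" name="form_token" value="{html.escape(token)}">'


def checkout(session_id: str, posted_form: dict) -> str:
    """Sensitive action guarded by the token, as in the post's 'buy a product' case."""
    if not consume_token(session_id, "checkout", posted_form.get("form_token")):
        return "rejected: missing, wrong or already-used form token"
    return "purchase completed"


if __name__ == "__main__":
    # Walk through one session: render the form, submit once, then replay.
    sid = "sess-1"
    token = issue_token(sid, "checkout")
    print(hidden_field(token))
    print(checkout(sid, {"form_token": token}))   # first use succeeds
    print(checkout(sid, {"form_token": token}))   # replay is rejected
```

The check in `consume_token` is where the post's three conditions meet: the token must exist for this session and action, must match what the server stored, and is deleted the moment it is accepted so the second submission of the same form fails.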

References

The entry 'One-time Form tokens' was posted
on April 12th, 2007 at 2:36 pm
and is filed under php, Security.

2 Responses to “One-time Form tokens”

It sounds like a good solution. It would be good for me but I have systems where it's an issue to store server state. I try and operate with a REST model, trying to ensure that there is little to no state at the server, using cookies where possible for logins. Is it impossible to protect against this sort of attack without relying on server state?